(54) System for monitoring network for cracker attack



(57) A sensor (7) is provided at the gateway of a local area network (1) for successively acquiring IP packets passing through the gateway. The sensor (7) detects various cracker attacks against the network (1) based on the acquired IP packets. Information as to attacks detected by the sensor (7) is given to a director (6) which controls a firewall (2) at the gateway of the network (1). Based on the given information, the director (6) controls settings for the firewall (2) to prevent IP packets associated with the detected attacks from entering the local area network (1).
Description

BACKGROUND OF THE INVENTION 
Field of the Invention: 

[0001] The present invention relates to a system for monitoring a local area network (LAN) for attacks made by crackers via the Internet, and protecting the network against those attacks.

Description of the Related Art: 

[0002] In recent years, many local area networks (LANs) constructed in organizations such as companies are connected to the Internet for exchanging various items of information or communicating with other networks. For such communications, the IP (Internet Protocol) is used as a protocol mainly corresponding to a network layer in a so-called OSI hierarchical model, and communication data are exchanged in the form of IP packets. It is customary to use the TCP (Transmission Control Protocol) or the UDP (User Datagram Protocol) as a protocol mainly corresponding to a transport layer that is higher in rank than the above network layer.

[0003] The networks of the type described above are advantageous in that they can exchange a wide variety of different items of information at a low cost with servers and other networks on the Internet. However, since the Internet is highly accessible to the public, the networks connected to the Internet are always subject to attacks from so-called crackers (i.e. ill-willed hackers). Therefore, the networks are required to be protected against such attacks.

[0004] One known system for protecting a network against attacks is a firewall (specifically, a computer having the function of a firewall) at the gateway of the network. The firewall serves to prevent communications of the types prescribed by the network administrator from occurring between the network and external networks. The types of such communications can be specified by source IP addresses, destination IP addresses, and destination port numbers that are contained in IP packets, for example.

[0005] The firewall is capable of inhibiting hosts (computers) which have certain IP addresses in the network and certain port numbers of the hosts from being accessed from external networks, and also inhibiting the network from being accessed by IP addresses other than certain IP addresses outside of the network. Consequently, if the types of communication data that are to be inhibited from entering the network are rigorously established with respect to the firewall, then it is possible for the firewall to reduce the danger of attacks against the network.

[0006] However, in order for the network administrator to establish those types of communication data, the network administrator needs to have a high level of knowledge and understanding about a wide range of network-related technologies, including communication technology, network technology, and crackers' attack schemes, and also to be well knowledgeable about the individual network's structure and operating details.

[0007] The types of communications to be blocked by the firewall have to be determined in view of what information is to be used and provided to external networks by hosts in the network to be protected, what information is to be protected in the network, and what attacks are expected to be launched on the network. Highly skilled network engineers are required to determine those types of communications to be blocked by the firewall. If the scale of a network to be protected is relatively large or a network to be protected handles a vast variety of information, then it is difficult for even highly skilled network engineers to make appropriate settings for the types of communications to be blocked by the firewall. When the structure of a network is changed, or a network is actually attacked by a cracker, or a newly planned attack is launched on a network, it is often necessary to reconstruct settings for the firewall. To this end, the entire system including the firewall needs to be continuously operated and managed.

[0008] Consequently, establishing proper settings for a firewall and continuously operating and managing a firewall require a large expenditure of labor of skilled engineers and a large expenditure of cost.

[0009] The conventional firewall of a network is designed to preclude all communications which could possibly attack the network. Therefore, the types of communications that are inhibited by firewall settings are uniformly excluded regardless of whether those communications are due to crackers' attacks. Stated otherwise, the freedom of communications between the network and external networks is unduly limited. Accordingly, a network with a firewall suffers a limitation on information providing services that are available on the Internet. As a result, the network is unable to enjoy many information resources on the Internet.

SUMMARY OF THE INVENTION 

[0010] The present invention seeks to provide a network monitoring system of a simple arrangement which is capable of automatically detecting a cracker attack on a network and protecting the network against the cracker attack without imposing undue limitations on the traffic of communications and also without requiring the labor of a skilled engineer.

[0011] There is provided, in accordance with the present invention, a system for monitoring a network which performs communications based on IP (Internet Protocol), for a cracker attack, comprising attack detecting means disposed at a gateway of the network, for successively acquiring IP packets passing through the gateway, storing the acquired IP packets accumulatively, and monitoring the stored IP packets to detect a cracker attack against the network, and processing means for effecting a predetermined process depending on the cracker attack when the attack detecting means detects the cracker attack.
[0012] The inventors of the present invention have studied various cracker attack schemes, and found that each of many attack types has a characteristic relation to a plurality of IP packets which are transmitted successively or intermittently when each of the attacks happens. Therefore, when IP packets passing through the gateway of the network are successively acquired, stored and monitored, it is possible to detect a cracker attack against the local area network on a real-time basis. When a cracker attack is detected, the processing means takes an appropriate action such as alerting a network administrator or cutting off communications from the cracker, thereby protecting the network against the attack. Generally, it takes a relatively long period of time before a cracker attack produces a sufficient effect on the network. Therefore, any damage to the network by a cracker attack can sufficiently be held to a minimum by taking an action to protect the network when the cracker attack is detected or with a slight delay after the cracker attack is detected.
[0013] Since the system according to the present invention can detect a cracker attack on a real-time basis, a protective measure may be taken only when the cracker attack is detected. Therefore, the network administrator or security personnel are not required to refer to a log file (communication records) as frequently as heretofore. Furthermore, an expenditure of labor for predicting cracker attacks on the network may be reduced when the network is constructed or rearranged. When no cracker attacks are detected, it is not necessary to limit communications between the network and external networks in anticipation of possible cracker attacks, and hence the freedom of communications between the network and external networks can be increased.

[0014] Consequently, the system according to the present invention is of a relatively simple arrangement and capable of automatically detecting a cracker attack on the network and protecting the network against the cracker attack without imposing undue limitations on the traffic of communications and also without requiring the labor of a skilled engineer.

[0015] The attack detecting means may comprise means for receiving all IP packets passing through the gateway of the network. This allows cracker attacks of many types to be detected quickly.

[0016] The attack detecting means may comprise means for only receiving IP packets.

[0017] Because the attack detecting means does not transmit its own information such as its own IP address and MAC (Media Access Control) address to the network, the attack detecting means is not recognized for its existence and not attacked by crackers. Thus, the attack detecting means is secure and the system is reliable.

[0018] The attack detecting means may comprise means for holding an algorithm for detecting a plurality of types of cracker attacks, and detecting the types of cracker attacks from the IP packets acquired and stored by the attack detecting means based on the algorithm.

[0019] The algorithm can detect a plurality of types of cracker attacks for increased security of the network. The algorithm may be updated for protection against attacks of new types.

[0020] The attack detecting means may comprise means for classifying a plurality of the IP packets acquired and stored by the attack detecting means according to at least source IP addresses and/or destination IP addresses and holding the classified IP packets, and detecting the types of cracker attacks from the classified IP packets.

[0021] In order to detect attacks of plural types, source IP addresses and destination IP addresses (which are given in IP headers) of IP packets often provide an important key. When IP packets acquired within a predetermined time are classified according to source IP addresses and/or destination IP addresses and held, cracker attacks can easily be detected from the IP packets.

[0022] Specifically, the attack detecting means detects attacks of various types as follows:

[0023] An attack of a first type made by crackers is generally called a "port scan". The attack of this type does not directly cause damage to the network, but is frequently used as a preliminary attack. For making the attack of this type, the cracker repeatedly transmits IP packets from its own managed host to the network under attack while changing destination IP addresses and destination port numbers in the IP packets, and observes responses to the transmitted IP packets for thereby searching for an IP address and a port number that are used by the network for communication with external networks without being limited by a firewall or the like. The port number represents a service type, e.g., telnet, ftp, smtp, tftp, or the like, of application software on TCP or UDP, and serves as data given in a TCP header or a UDP header in the IP packet.
[0024] In the port scan attack, the above IP packets are usually transmitted using dedicated tool software, and a number of IP packets whose destination IP addresses and port numbers are different from each other and whose source IP addresses are the same as each other are transmitted to the network under attack within a relatively short time.

[0025] According to the present invention, the attack detecting means may comprise means for detecting a cracker attack of a first type when the IP packets acquired and stored by the attack detecting means include at least a predetermined number of IP packets, which are transmitted to the network from an external network within a predetermined time, and whose at least source IP addresses are the same as each other and whose destination IP addresses or destination port numbers are different from each other.
[0026] In this manner, the system is capable of reliably detecting an attack of the first type called a port scan.
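The first-type rule of [0025] reduces to a sliding-window count over packets classified by source IP address, as [0020] and [0021] describe. The following Python is an added example, not code from the patent: it assumes a minimal `Packet` record, a LAN prefix of 192.0.2.0/24, a 10-second window and a threshold of 20 distinct (destination address, destination port) targets, all of which are constructed values; the sample capture is constructed as well.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds (constructed record, not the patent's format)
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination TCP/UDP port


class PortScanSensor:
    """Stores inbound packets classified by source IP address and raises an
    alert when one external source has touched at least `threshold` distinct
    (destination IP, destination port) pairs inside a sliding `window`."""

    def __init__(self, lan, window=10.0, threshold=20):
        self.lan = ipaddress.ip_network(lan)
        self.window = window
        self.threshold = threshold
        self.by_src = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
        self.alerted = set()               # sources already reported

    def observe(self, pkt):
        """Record one packet; return the scanning source when a scan is detected."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if dst not in self.lan or src in self.lan:
            return None                    # only external -> internal traffic counts
        q = self.by_src[pkt.src]
        q.append((pkt.ts, (pkt.dst, pkt.dport)))
        while q and pkt.ts - q[0][0] > self.window:
            q.popleft()                    # drop packets that fell out of the window
        distinct_targets = {target for _, target in q}
        if len(distinct_targets) >= self.threshold and pkt.src not in self.alerted:
            self.alerted.add(pkt.src)
            return pkt.src
        return None


def detect_port_scans(packets, lan="192.0.2.0/24", window=10.0, threshold=20):
    """Run the sensor over a capture and return the set of scanning sources."""
    sensor = PortScanSensor(lan, window, threshold)
    ordered = sorted(packets, key=lambda p: p.ts)
    return {src for src in map(sensor.observe, ordered) if src}


# Constructed sample capture: one external host probes 25 ports on one LAN
# host within 2.5 s, while another external host legitimately talks to port 80.
SAMPLE = [Packet(ts=0.1 * i, src="203.0.113.5", dst="192.0.2.10", dport=i + 1)
          for i in range(25)]
SAMPLE += [Packet(ts=5.0 + i, src="198.51.100.7", dst="192.0.2.10", dport=80)
           for i in range(5)]

if __name__ == "__main__":
    print(detect_port_scans(SAMPLE))   # {'203.0.113.5'}
```

A scan that spreads its probes more thinly than the window is deliberately not reported; that is the trade-off the predetermined time encodes, and lengthening the window or lowering the threshold exchanges false positives for sensitivity.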
[0027] An attack of a second type made by crackers is generally called "Syn-flood (TCP Syn-flood)". The attack of this type makes a host in the network go down using the characteristics of the TCP.

[0028] Specifically, for performing communications between two hosts according to the TCP, a logical connection is opened between the hosts. For opening such a logical connection, a Syn IP packet (an IP packet containing a TCP Syn signal) is transmitted from one of the hosts to the other. The Syn IP packet is an IP packet whose source IP address is the IP address of the one host and whose destination IP address is the IP address of the other host, with only the Syn bit of the Syn and Ack bits in the TCP header in the IP packet being set to "1".
[0029] In opening the connection, the other host which has received the Syn IP packet transmits a Syn/Ack IP packet (an IP packet containing a TCP Syn/Ack signal) to the one host. The Syn/Ack IP packet is an IP packet whose source IP address is the IP address of the other host and whose destination IP address is the IP address of the one host, with both the Syn and Ack bits in the TCP header in the IP packet being set to "1".

[0030] In opening the connection, the one host which has received the Syn/Ack IP packet transmits an Ack IP packet to the other host. When the other host receives the Ack IP packet, the logical connection is opened between the two hosts. The Ack IP packet is an IP packet whose source IP address and destination IP address are the same as those of the Syn IP packet, with only the Ack bit of the Syn and Ack bits in the TCP header in the IP packet being set to "1".

[0031] The Syn-flood is an attack using the above characteristics of the TCP. In this attack, the cracker transmits a number of Syn IP packets to a particular host in the network under attack within a relatively short time. When a Syn/Ack IP packet is transmitted from the particular host in response to the Syn IP packets, the cracker does not transmit an Ack IP packet. When this attack is made, the particular host transmits a Syn/Ack IP packet in response to the first transmitted Syn IP packet, and thereafter waits for an Ack IP packet for a predetermined time (generally 2 minutes) unless an Ack IP packet is transmitted within the predetermined time. Each time a new Syn IP packet is transmitted, the particular host stores in a communication processing buffer area information as to the new Syn IP packet in order to successively complete connection opening processes for the new Syn IP packets. Since the buffer area has a limited size, when the buffer area becomes full, the particular host can no longer perform communications according to the TCP and services on the TCP. As a result, the particular host under attack goes down.



[0032] In the attack of this type (Syn-flood), as described above, a relatively large number of Syn IP packets are transmitted to a particular host under attack, i.e., a host having a particular IP address, in the network within a relatively short time. In response to the transmitted Syn IP packets, the particular host transmits many Syn/Ack IP packets out of the network within a relatively short time. However, an Ack packet to be finally transmitted to the particular host in response to the Syn IP packets or the Syn/Ack IP packets is not transmitted.
[0033] According to the present invention, the attack detecting means may comprise means for detecting a cracker attack of a second type when the IP packets acquired and stored by the attack detecting means include at least a predetermined number of Syn IP packets based on TCP, which are transmitted to the network from an external network within a predetermined time, and whose at least destination IP addresses are the same as each other, and when an Ack IP packet based on the TCP which has the same source IP address and destination IP address as each of the Syn IP packets is not acquired within the predetermined time.

[0034] Alternatively, the attack detecting means may comprise means for detecting a cracker attack of a second type when the IP packets acquired and stored by the attack detecting means include at least a predetermined number of Syn/Ack IP packets based on TCP, which are transmitted to the network from an external network within a predetermined time, and whose at least destination IP addresses are the same as each other, and when an Ack IP packet based on the TCP which has the same source IP address and destination IP address as the source IP address and destination IP address of each of the Syn/Ack IP packets is not acquired within the predetermined time.

[0035] Consequently, the attack of the second type known as Syn-flood can reliably be detected.
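The Syn-based rule of [0033] needs per-connection state, because a Syn only counts against the host once the client's Ack has failed to arrive within the predetermined time. This added Python example (not the patent's code) assumes a constructed `Packet` record carrying TCP flag bits, a LAN prefix of 192.0.2.0/24, a 10-second window and a threshold of 20 half-open connections; the Syn/Ack variant of [0034] is not implemented, and the sample capture is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

SYN, ACK = 0x02, 0x10   # TCP header flag bits


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds (constructed record)
    src: str
    dst: str
    sport: int
    dport: int
    flags: int   # a client's first packet carries SYN only; its third carries ACK only


class SynFloodSensor:
    """Tracks inbound SYNs per connection tuple. A SYN whose client ACK has not
    arrived within `window` seconds becomes a half-open entry against the
    destination host; `threshold` such entries inside one window raise an alert."""

    def __init__(self, lan, window=10.0, threshold=20):
        self.lan = ipaddress.ip_network(lan)
        self.window, self.threshold = window, threshold
        self.pending = {}                   # (src, sport, dst, dport) -> SYN timestamp
        self.half_open = defaultdict(list)  # dst -> timestamps of timed-out SYNs
        self.alerts = []                    # (victim address, half-open count)

    def observe(self, pkt):
        self._expire(pkt.ts)
        if ipaddress.ip_address(pkt.dst) not in self.lan:
            return                          # only packets aimed at the LAN are considered
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.pending.setdefault(key, pkt.ts)   # keep the first SYN's time on retransmits
        elif pkt.flags & ACK and not pkt.flags & SYN:
            self.pending.pop(key, None)            # the client completed the handshake

    def _expire(self, now):
        """Promote SYNs older than the window to half-open entries and test the threshold."""
        for key, t0 in list(self.pending.items()):
            if now - t0 < self.window:
                continue
            del self.pending[key]
            dst = key[2]
            recent = [t for t in self.half_open[dst] if t0 - t <= self.window] + [t0]
            if len(recent) >= self.threshold:
                self.alerts.append((dst, len(recent)))
                recent = []                 # report each burst once
            self.half_open[dst] = recent

    def flush(self, now):
        """Call when the capture ends so SYNs still pending can time out."""
        self._expire(now)


def detect_syn_floods(packets, lan="192.0.2.0/24", window=10.0, threshold=20):
    sensor = SynFloodSensor(lan, window, threshold)
    ordered = sorted(packets, key=lambda p: p.ts)
    for pkt in ordered:
        sensor.observe(pkt)
    sensor.flush(ordered[-1].ts + window)   # give the last SYNs their full window
    return sensor.alerts


# Constructed sample capture: 25 SYNs from five addresses to one LAN web server
# in 2.5 s, none followed by an ACK, plus one legitimate client that completes
# its handshake and one outbound packet that the sensor must ignore.
SAMPLE = [Packet(0.1 * i, f"203.0.113.{1 + i % 5}", "192.0.2.20", 40000 + i, 80, SYN)
          for i in range(25)]
SAMPLE += [Packet(1.0, "198.51.100.7", "192.0.2.20", 51000, 80, SYN),
           Packet(1.1, "198.51.100.7", "192.0.2.20", 51000, 80, ACK),
           Packet(1.2, "192.0.2.20", "198.51.100.7", 80, 51000, SYN | ACK)]

if __name__ == "__main__":
    print(detect_syn_floods(SAMPLE))   # [('192.0.2.20', 20)]
```

Keying the pending table on the full four-tuple means a client that legitimately retries a SYN is not counted twice, while sources that never answer the Syn/Ack accumulate one entry per half-open connection, which is exactly the buffer pressure [0031] describes.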
[0036] An attack of a third type made by crackers is generally called "Teardrop". The attack of this type makes a host in the network go down using the characteristics of a process of dividing an IP packet (so-called IP fragments).

[0037] While an IP packet is transferred via routers in the Internet, the IP packet may possibly be divided due to the data processing capacity of each router. An error may possibly occur, for example depending on a bad condition of the telephone line, when an IP packet is transferred via many routers, and when such an error occurs, the router retransmits the IP packet. Therefore, a host having the destination IP address of the IP packet may receive a plurality of divisions of the same IP packet. In communications based on the IP layer, when a host for finally receiving an IP packet, i.e. a host having the destination IP address, has received divisions of an IP packet, the host stores the received divisions of the IP packet until it receives all the remaining divisions of the IP packet. When the host has received all the divisions of the IP packet, the host processes the divisions of the IP packet to restore the data of the original IP packet.

[0038] The "Teardrop" is an attack using the characteristics of the process of divided IP packets. In this attack, the cracker transmits a number of the same divisions of an IP packet to a particular host in the network under attack, and then transmits the remaining divisions of the IP packet to the particular host. Under this attack, when the particular host has finally received the remaining divisions of the IP packet, the particular host performs a process of restoring the original IP packet from the remaining divisions of the IP packet and the previously transmitted divisions of the IP packet. Since such a restoring process uses a large amount of memory and takes a long period of time to perform, the particular host effectively goes down.

[0039] In the attack of this type (Teardrop), a number of the same divisions of an IP packet are transmitted to a certain host in the network within a relatively short time.

[0040] According to the present invention, the attack detecting means may comprise means for detecting a cracker attack of a third type when the IP packets acquired and stored by the attack detecting means include at least a predetermined number of the same divisions of an IP packet, which are transmitted to the network from an external network within a predetermined time.

[0041] As a consequence, the attack of the third type, known as Teardrop, can reliably be detected.
[0042] An attack of a fourth type made by crackers is generally called "Land". The attack of this type is an attack to transmit an IP packet whose source IP address and destination IP address are the same as each other, i.e., an IP packet which does not normally occur, to a particular host in the network under attack. The particular host to which such an IP packet is transmitted often needs a time-consuming process to process the IP packet, and frequently goes down.

[0043] In the attack of this type, an IP packet whose source IP address and destination IP address are the same as each other is transmitted to the particular host in the network. Generally, a plurality of such IP packets are transmitted to the particular host in a relatively short time.

[0044] According to the present invention, the attack detecting means may comprise means for detecting a cracker attack of a fourth type when the IP packets acquired and stored by the attack detecting means include at least a predetermined number of IP packets, which are transmitted to the network from an external network within a predetermined time, and whose source IP addresses are the same as the destination IP addresses thereof.

[0045] Thus, the attack of the fourth type called Land can reliably be detected.
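The Land rule of [0044] and the Teardrop rule of [0040] share the shape of the earlier rules: count packets matching a predicate, grouped by a key, inside a predetermined time. The added Python below (not from the patent) generalizes that shape into a small rule table and instantiates both rules; the `Packet` fields, the 5-second window, the threshold of 5 and the sample capture are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Hashable


@dataclass(frozen=True)
class Packet:
    ts: float                 # capture time in seconds (constructed record)
    src: str
    dst: str
    ip_id: int = 0            # IP identification field shared by all fragments of one datagram
    frag_off: int = 0         # fragment offset; 0 for the first fragment and for whole packets
    more_frags: bool = False  # MF flag; set on every fragment except the last
    length: int = 0           # total length of this packet or fragment


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Packet], bool]      # does this packet belong to the attack class?
    group: Callable[[Packet], Hashable]    # which packets are counted together
    window: float                          # the predetermined time, in seconds
    threshold: int                         # the predetermined number


class RuleEngine:
    """Counts, per rule and per group key, the matching packets inside a sliding
    window, and reports (rule name, group key) when the count reaches the threshold."""

    def __init__(self, rules):
        self.rules = rules
        self.buckets = defaultdict(deque)   # (rule name, group key) -> timestamps

    def observe(self, pkt):
        fired = []
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            key = (rule.name, rule.group(pkt))
            q = self.buckets[key]
            q.append(pkt.ts)
            while q and pkt.ts - q[0] > rule.window:
                q.popleft()
            if len(q) == rule.threshold:    # fire once, at the moment the threshold is reached
                fired.append(key)
        return fired


def is_fragment(p):
    return p.frag_off > 0 or p.more_frags


RULES = [
    # fourth type (Land): source and destination address identical, grouped by target host
    Rule("land", lambda p: p.src == p.dst, lambda p: p.dst, window=5.0, threshold=5),
    # third type (Teardrop): the same division of the same datagram delivered repeatedly
    Rule("teardrop", is_fragment,
         lambda p: (p.src, p.dst, p.ip_id, p.frag_off, p.length), window=5.0, threshold=5),
]


def run_rules(packets, rules=RULES):
    engine = RuleEngine(rules)
    fired = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        fired.extend(engine.observe(pkt))
    return fired


# Constructed sample capture: a burst of six Land packets, seven copies of one
# first fragment followed by its closing fragment, and three ordinary fragments
# from different datagrams that must not be counted together.
SAMPLE = [Packet(0.1 * i, "192.0.2.30", "192.0.2.30") for i in range(6)]
SAMPLE += [Packet(1.0 + 0.1 * i, "203.0.113.9", "192.0.2.31",
                  ip_id=77, frag_off=0, more_frags=True, length=1500) for i in range(7)]
SAMPLE += [Packet(3.0, "203.0.113.9", "192.0.2.31", ip_id=77, frag_off=185, length=200)]
SAMPLE += [Packet(4.0 + i, "198.51.100.7", "192.0.2.31",
                  ip_id=100 + i, frag_off=0, more_frags=True, length=1500) for i in range(3)]

if __name__ == "__main__":
    print(run_rules(SAMPLE))
```

New attack classes of the same count-within-window shape become one more `Rule` entry rather than new detector code, which is one way to realize the updatable algorithm of [0019].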

[0046] The above attacks known as Syn-flood, Teardrop, and Land generally belong to attacks called DoS (Denial of Service). The DoS also includes an attack type called Smurf and an attack type called Floodie. Though the attacks called Syn-flood, Teardrop, and Land have been described as examples, the system according to the present invention may be arranged to detect attacks called Smurf and Floodie.
[0047] An attack of a fifth type made by crackers is an attack attempting to acquire the password of a user of a particular host in the network. In this attack, the cracker logs in to the particular host according to telnet or the like, using a user name of the particular host in the network under attack, and attempts to operate the host using a number of passwords selected from a certain dictionary file or the like. If the cracker can operate the host with a password, then the cracker is able to recognize the password. In general, passwords can be entered into the host in an unlimited number of attempts. Accordingly, the cracker can acquire a password if the entry of passwords is attempted over a long period of time.
[0048] In the attack of this type, a number of IP packets having the same user name data and also having passwords which are different from each other are transmitted to a particular host in the network under attack.

[0049] According to the present invention, therefore, the attack detecting means may comprise means for detecting a cracker attack of a fifth type when the IP packets acquired and stored by the attack detecting means include at least a predetermined number of IP packets, which are transmitted to the network from an external network in order to operate a host in the network within a predetermined time, and whose user name data of the host are the same as each other and whose passwords of the host are different from each other.

[0050] Consequently, the attack attempting to acquire a password can reliably be detected.
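The fifth-type rule of [0049] counts attempts against one user name with mutually different passwords. This added Python example (not the patent's code) assumes the login attempts have already been extracted from the packet stream into a constructed `LoginAttempt` record, uses a 60-second window and a threshold of 10 distinct passwords, and keeps only a salted digest of each password so that the sensor itself never becomes a store of guessed or genuine credentials; the salt and the sample attempts are constructed values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class LoginAttempt:
    """A login attempt already extracted from inbound packets (e.g. a clear-text
    telnet login); constructed record, not the patent's format."""
    ts: float
    src: str
    dst: str
    user: str
    password: str


class PasswordGuessSensor:
    """Raises an alert when `threshold` attempts against the same (host, user)
    arrive within `window` seconds using mutually different passwords. Only a
    salted digest of each password is retained."""

    def __init__(self, window=60.0, threshold=10, salt=b"constructed-sensor-salt"):
        self.window, self.threshold, self.salt = window, threshold, salt
        self.attempts = defaultdict(deque)   # (dst, user) -> deque of (ts, digest)
        self.alerted = set()

    def _digest(self, password):
        return hashlib.sha256(self.salt + password.encode()).hexdigest()

    def observe(self, attempt):
        """Record one attempt; return (host, user) the first time the rule fires."""
        key = (attempt.dst, attempt.user)
        q = self.attempts[key]
        q.append((attempt.ts, self._digest(attempt.password)))
        while q and attempt.ts - q[0][0] > self.window:
            q.popleft()                      # forget attempts outside the window
        distinct = {digest for _, digest in q}
        if len(distinct) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return key
        return None


def detect_password_guessing(attempts, window=60.0, threshold=10):
    sensor = PasswordGuessSensor(window, threshold)
    ordered = sorted(attempts, key=lambda a: a.ts)
    return [key for key in map(sensor.observe, ordered) if key]


# Constructed sample: twelve different passwords for "alice" in twelve seconds,
# and a user who keeps retyping the same wrong password, which is not an attack.
SAMPLE = [LoginAttempt(1.0 * i, "203.0.113.4", "192.0.2.40", "alice", f"guess{i}")
          for i in range(12)]
SAMPLE += [LoginAttempt(100.0 + i, "198.51.100.7", "192.0.2.40", "bob", "same-typo")
           for i in range(12)]

if __name__ == "__main__":
    print(detect_password_guessing(SAMPLE))   # [('192.0.2.40', 'alice')]
```

Counting distinct digests rather than raw attempts is what separates the dictionary run of [0047] from a user repeating one mistaken password, and the per-(host, user) grouping matches the rule's "same user name data" condition.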

[0051] An attack of a sixth type made by crackers is an attack to cause a particular host in the network to perform a process (so-called route command) that can only be executed by limited persons such as the network administrator with a dedicated password entered. This attack uses a bug referred to as a security hole of an OS (Operating System) installed in the host under attack.

[0052] Specifically, a host with UNIX (trademark of AT&T) installed as the OS has a security hole referred to as a buffer overflow. The security hole is such that when relatively large data (representing 128 or more characters) is transmitted at once for "lpr" indicative of a printer logical name, the buffer overflows, and if the overflowing data is a route command, the route command is executed even if a password of the network administrator is not entered.

[0053] The attack of the sixth type attacks a security hole referred to as a buffer overflow. In this attack, an IP packet having a data sequence including a predetermined pattern of data, such as a data sequence having at least a predetermined size for "lpr", is transmitted to the particular host in the network.
[0054] Therefore, according to the present invention, the attack detecting means may comprise means for detecting a cracker attack of a sixth type when the IP packets acquired and stored by the attack detecting means include an IP packet which has a data sequence having a predetermined pattern of data for attacking a security hole called a buffer overflow.

[0055] The attack of the sixth type can thus be detected.
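The sixth-type rule of [0054] is a content signature rather than a count. The added Python below (not the patent's code) reads the printer name of [0052] as the queue name of an RFC 1179 (LPD) request on TCP port 515, which is an assumption about a protocol the patent leaves unnamed, and flags a request whose queue name reaches the 128-character size the patent cites; the command codes follow RFC 1179 and the sample packets are constructed.

```python
from dataclasses import dataclass

LPD_PORT = 515
# RFC 1179 first-line command codes (assumption: the printer name travels in an LPD request)
LPD_COMMANDS = {1: "print-waiting-jobs", 2: "receive-job", 3: "queue-state-short",
                4: "queue-state-long", 5: "remove-jobs"}
MAX_QUEUE_NAME = 127   # the page's condition: 128 or more characters is suspicious


@dataclass(frozen=True)
class Packet:
    ts: float        # constructed record, not the patent's format
    src: str
    dst: str
    dport: int
    payload: bytes   # TCP payload as captured


def parse_lpd_request(payload):
    """Return (command name, queue name) for an RFC 1179 request line, or None
    when the payload is not a well-formed LPD command."""
    if len(payload) < 2 or payload[0] not in LPD_COMMANDS:
        return None
    line, _, _ = payload[1:].partition(b"\n")
    queue = line.split(b" ", 1)[0]   # further operands, if any, follow a space
    return LPD_COMMANDS[payload[0]], queue


def check_lpd_packet(pkt, max_len=MAX_QUEUE_NAME):
    """Return (src, dst, command, queue length) when an LPD request carries an
    overlong queue name; None for anything else."""
    if pkt.dport != LPD_PORT:
        return None
    parsed = parse_lpd_request(pkt.payload)
    if parsed is None:
        return None
    command, queue = parsed
    if len(queue) > max_len:
        return (pkt.src, pkt.dst, command, len(queue))
    return None


def scan_capture(packets):
    return [alert for alert in map(check_lpd_packet, packets) if alert]


# Constructed sample capture: two ordinary LPD requests, one request whose
# queue name is 200 bytes long, and an HTTP request that is not LPD at all.
SAMPLE = [
    Packet(0.0, "198.51.100.7", "192.0.2.50", 515, b"\x02lp\n"),
    Packet(0.5, "198.51.100.7", "192.0.2.50", 515, b"\x04lp alice\n"),
    Packet(1.0, "203.0.113.9", "192.0.2.50", 515, b"\x02" + b"Q" * 200 + b"\n"),
    Packet(1.5, "203.0.113.9", "192.0.2.50", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(scan_capture(SAMPLE))   # [('203.0.113.9', '192.0.2.50', 'receive-job', 200)]
```

The check keys on the field length alone, not on the bytes that follow, because the page's condition is the size of the data; a signature that looked for specific overflow contents would miss any variant that changes them.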

[0056] The processing means may comprise means for generating a report output representing the detection of the cracker attack in the predetermined process. The report output thus generated allows the network administrator or an outside engineer to take a measure for excluding the detected attack.
[0057] The processing means may comprise means for preventing an IP packet having a source IP address and/or a destination IP address associated with the attack detected by the attack detecting means, from entering the network in the predetermined process, for a predetermined time after the attack detecting means detects the attack.

[0058] Therefore, communications from the cracker to the network or communications to the host under attack are automatically cut off, protecting the network on a real-time basis in response to the detection of the attack. Furthermore, once the predetermined time has lapsed after the attack detecting means detected the last attack, free communications between the network and the external network become possible again without the limitation imposed by the predetermined process of the processing means.

[0059] More specifically, the processing means may comprise means for preventing an IP packet having the same source IP address as the source IP addresses associated with the attack of the first type detected by the attack detecting means, from entering the network for a predetermined time after the attack detecting means detects the attack of the first type, in the predetermined process.

[0060] Since the source IP address is the IP address of the host which the cracker is using in the port scan attack, the IP packet transmitted to the network with the above IP address as its source IP address is blocked from the network for the predetermined time after the attack is detected. Therefore, the cracker is unable to communicate with the network from the host having the above source IP address for the predetermined time after the attack is detected, and cannot obtain information relative to the network. Insofar as the port scan attack is continuously made, it is detected from time to time. Therefore, while the port scan attack is continuing, the cracker is unable to communicate with the network in reality.

[0061] If the attack of the second type referred to as Syn-flood is detected on the basis of the Syn IP packet as described above, then the processing means may comprise means for preventing an IP packet having the same destination IP address as each said Syn IP packet from entering the network for a predetermined time after the attack detecting means detects the attack of the second type, in the predetermined process.
[0062] Specifically, since the destination IP address of each said Syn IP packet is the IP address of the host attacked by Syn-flood, the IP packet having the IP address of the host as the destination IP address is blocked from the network for the predetermined time after the attack detecting means detects the attack.
[0063] If the Syn-flood attack is detected on the basis of the Syn/Ack IP packet as described above, then the processing means may comprise means for preventing an IP packet having the same destination IP address as the source IP address of each said Syn/Ack IP packet from entering the network for a predetermined time after the attack detecting means detects the attack of the second type, in the predetermined process.
[0064] Specifically, each said Syn/Ack IP packet is a packet with which the host in the network responds to the cracker with respect to a Syn IP packet transmitted to the network from a host under the control of the cracker attempting to make the Syn-flood attack. Therefore, the source IP address of each said Syn/Ack IP packet is the IP address of the host under the Syn-flood attack. Therefore, the IP packet transmitted to the network with the IP address of the host in the network being used as the destination IP address is blocked from the network.

[0065] As described above, because the IP packet of the Syn-flood attack is prevented from entering the network, no IP packets such as Syn IP packets are transmitted to the host in the network under attack for the predetermined time. If the host under attack fails to normally complete the opening of a connection within a certain time (normally 2 minutes) with respect to the previously transmitted Syn IP packet, then the host automatically stops opening the connection. Accordingly, the host can recover its normal state within the predetermined time because no IP packets are transmitted for the predetermined time.

[0066] Therefore, according to the present invention, the processing means may comprise means for preventing an IP packet having the same source IP address as each said Syn IP packet from entering the network for a predetermined time after the attack detecting means detects the attack of the second type, in the predetermined process.

[0067] Alternatively, the processing means may comprise means for preventing an IP packet having the same source IP address as the destination IP address of each said Syn/Ack IP packet from entering the network for a predetermined time after the attack detecting means detects the attack of the second type, in the predetermined process.
[0068] Specifically, in the Syn-flood attack, when the cracker transmits Syn-flood IP packets, the cracker may falsify source IP addresses or change source IP addresses. Generally, however, the source IP address of each said Syn IP packet or the destination IP address of a corresponding Syn/Ack IP packet is highly likely to be the IP address of the host under the control of the cracker. Therefore, the IP packet with the above IP address used as the destination IP address is blocked from the network for the predetermined time after the attack is detected. The network can thus be protected more effectively against the cracker attack.
[0069] Furthermore, the predetermined time for which an IP packet having the same source IP address as each said Syn IP packet or the same source IP address as the destination IP address of each said Syn/Ack IP packet is prevented from entering the network is longer than the predetermined time for which an IP packet having the same destination IP address as each said Syn IP packet or the same destination IP address as the source IP address of each said Syn/Ack IP packet is prevented from entering the network.
[0070] Specifically, the time for which communications with the host under the Syn-flood attack are cut off, i.e., the latter predetermined time, is sufficient if it is about a time in which the host can recover its normal state from the attack. However, the time for which communications from the host highly possibly under the control of the cracker to the network are cut off, i.e., the former predetermined time, should preferably be relatively long from the standpoint of network protection. Accordingly, the former predetermined time is made longer than the latter predetermined time. 

[0071] With the above time settings, it is possible to sufficiently protect the network against the Syn-flood attack while providing as much freedom as possible of communications between hosts in the network and external networks. 

[0072] If the attack of the third type, referred to as Teardrop, is detected, then the processing means may comprise means for preventing an IP packet having the same destination IP address as the destination IP address of each said divided IP packet from entering the network for a predetermined time after the attack detecting means detects the attack of the third type, in the predetermined process. 

[0073] Specifically, the destination IP address of the divided IP packet is the IP address of the host under the Teardrop attack. Therefore, the IP packet having the IP address of the host as its destination IP address is blocked from the network for the predetermined time after the attack is detected. As a result, IP packets such as divided IP packets are not transmitted to the host in the network under the Teardrop attack for the predetermined time. Unless the host under attack receives the remaining divided IP packets corresponding to the previously transmitted divided IP packets within a certain time (normally 2 minutes), the host automatically stops communications based on those IP packets. Accordingly, since no IP packets are transmitted for the predetermined time, the host can recover its normal state within the predetermined time. 

[0074] According to the present invention, furthermore, if the Teardrop attack is detected, then the processing means may comprise means for preventing an IP packet having the same source IP address as the source IP address of each said divided IP packet from entering the network for a predetermined time after the attack detecting means detects the attack of the third type, in the predetermined process. 
[0075] As with the Syn-flood attack, the source IP address of the divided IP packet is highly likely to be the IP address of the host under the control of the cracker. Therefore, the IP packet with the above IP address used as the source IP address is blocked from the network for the predetermined time after the attack is detected. The network can thus be protected more effectively against the cracker attack. 

[0076] The predetermined time for which an IP packet having the same source IP address as the source IP address of each said divided IP packet is prevented from entering the network is longer than the predetermined time for which an IP packet having the same destination IP address as the destination IP address of each said divided IP packet is prevented from entering the network. 

[0077] Specifically, as with the Syn-flood attack, the time for which communications with the host under the Teardrop attack are cut off, i.e., the latter predetermined time, is sufficient if it is about a time within which the host can recover its normal state from the attack. However, the time for which communications from the host highly possibly under the control of the cracker to the network are cut off, i.e., the former predetermined time, should preferably be relatively long from the standpoint of network protection. Accordingly, the former predetermined time is made longer than the latter predetermined time. 

[0078] With the above time settings, it is possible to sufficiently protect the network against the Teardrop attack while providing as much freedom as possible of communications between hosts in the network and external networks. 

[0079] If the attack of the fourth type, called Land, is detected, the processing means may comprise means for preventing an IP packet having the same source IP address and destination IP address as each said IP packet associated with the attack of the fourth type from entering the network for a predetermined time after the attack detecting means detects the attack of the fourth type, in the predetermined process. 
[0080] In the Land attack, an IP packet whose source IP address and destination IP address are the same as each other is transmitted. Therefore, the IP packet having the same source IP address and destination IP address as the above IP packet is blocked from the network for the predetermined time after the attack is detected. The network can thus be protected against the Land attack. 

[0081] If the attack of the fifth type, attempting to acquire the password of a user of a host in the network, is detected, then the processing means may comprise means for preventing an IP packet having the same source IP address and destination IP address as each said IP packet associated with the attack of the fifth type from entering the network for a predetermined time after the attack detecting means detects the attack of the fifth type, in the predetermined process. 

[0082] Specifically, the destination IP address of the IP packet associated with the attack of the fifth type is the IP address of the host under attack. The source IP address of the IP packet is the IP address of the host under the control of the cracker. Therefore, the IP packet having the same source IP address and destination IP address as the IP packet associated with the attack of the fifth type is blocked from the network for the predetermined time after the attack is detected. Thus, even when the cracker transmits IP packets having various passwords to a particular host in the network, the cracker is unable to decide whether the particular host can be operated with each of the passwords. As a result, the network can be protected against the attack of the fifth type. 

[0083] If the attack of the sixth type, using a security hole, is detected, then the processing means may comprise means for preventing an IP packet having the same source IP address and destination IP address as the IP packet associated with the attack of the sixth type from entering the network for a predetermined time after the attack detecting means detects the attack of the sixth type, in the predetermined process. 

[0084] Specifically, the destination IP address of the IP packet associated with the attack of the sixth type is the IP address of the host under attack. The source IP address of the IP packet is the IP address of the host under the control of the cracker. Therefore, the IP packet having the same source IP address and destination IP address as the IP packet associated with the attack of the sixth type is blocked from the network for the predetermined time after the attack is detected. Thus, even when the cracker transmits an IP packet for attacking a security hole in a particular host in the network, the IP packet is not given to the particular host. As a consequence, it is impossible to cause the particular host to execute a route command, and the network can be protected against the attack of the sixth type. 
[0085] To protect the network from several types of attacks in particular, there is provided in accordance with the present invention a system for monitoring a network which performs communications based on IP (Internet Protocol), for a cracker attack, comprising attack detecting means disposed at a gateway of the network, for successively acquiring IP packets passing through the gateway, storing the acquired IP packets accumulatively, holding an algorithm for detecting a plurality of types of cracker attacks, and monitoring to detect the types of cracker attacks from the acquired and stored IP packets based on the algorithm, and processing means for preventing an IP packet having a source IP address and/or a destination IP address associated with the attack detected by the attack detecting means from entering the network, for a time which is predetermined corresponding to the type of the attack, after the attack detecting means detects one of the attacks, in a predetermined process. 
[0086] By preventing an IP packet having a source IP address and/or a destination IP address associated with the attack detected by the attack detecting means from entering the network, in the predetermined process, for a time which is predetermined corresponding to the type of the attack, it is possible to keep down the predetermined time for which such an IP packet is prevented from entering the network for each of the several types of attacks. Consequently, communications between the network and the external network are left open as far as possible while no attack is detected by the attack detecting means, so that communications using the Internet are made more convenient. 

[0087] The system according to the present invention, which automatically prevents IP packets associated with attacks of various types from entering the network depending on the detection of the attacks, further comprises a packet filter disposed at the gateway of the network, for selectively establishing IP packets to be prevented from entering the network, the processing means comprising means for controlling the packet filter to perform the predetermined process. 

[0088] If the packet filter comprises a firewall, for example, then the system according to the present invention can be constructed using an existing system. Generally, a router also has a function as a packet filter, though it is less capable of selecting and discarding IP packets than the firewall. Accordingly, the router can also be used as the packet filter. 

[0089] The above and other objects, features, and advantages of the present invention will become apparent from the following description when taken in conjunction with the accompanying drawings which illustrate a preferred embodiment of the present invention by way of example. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0090] 

FIG. 1 is a block diagram of a system for monitoring a network for a cracker attack according to the present invention. 



EP 1 081 894 A1 



DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

[0091] As shown in FIG. 1, a local area network (LAN) 1, which is constructed using the Ethernet, comprises a plurality of hosts (computers) interconnected by Ethernet cables and hubs, not shown. Each of the hosts has an Ethernet card connected to the Ethernet cable, software for processing TCP/IP, and various application software, e.g., telnet, ftp, smtp, etc., functioning on TCP/IP, for making it possible to perform communications based on IP. 

[0092] The LAN 1 is not limited to being constructed using the Ethernet, but may also be constructed in another network form, such as a token-ring network. 
[0093] A system for monitoring the LAN 1 for a cracker attack according to the present invention has a computer 2 (hereinafter referred to as a firewall 2) having the function of a firewall as a packet filter. The LAN 1 is connected via the firewall 2 to the Internet 3. The firewall 2 has a file of written data (hereinafter referred to as a filter setting file) prescribing what types of IP packets are inhibited from entering the LAN 1. When an IP packet of a type which is prescribed in the filter setting file as being inhibited from entering the LAN 1 is transmitted from the Internet 3, the firewall 2 discards the IP packet, and prevents the IP packet from entering the LAN 1. When an IP packet which is not prescribed in the filter setting file as being inhibited from entering the LAN 1 is transmitted from the Internet 3, the firewall 2 transfers the IP packet to the LAN 1. 
[0094] Between the firewall 2 and the Internet 3, there is interposed a hub 4 connected to a sensor 5 which functions as an attack detecting means. A director 6 which functions as a processing means for controlling the firewall 2 is connected to the sensor 5. Each of the sensor 5 and the director 6 comprises a computer. 
[0095] The sensor 5 comprises a UNIX machine, for example, and is connected to the hub 4 via an Ethernet card 7. The sensor 5 runs installed software called tcpdump. The software tcpdump acquires, or hears, all IP packets passing through the hub 4 via the Ethernet card 7. Such an operation is often referred to as promiscuous mode. The sensor 5 stores the acquired IP packets together with time data of the acquisition times in a hard disk (not shown). When the total number of acquired IP packets stored in the hard disk reaches a predetermined allowable number, the sensor 5 deletes the oldest IP packet from the hard disk, and stores a newly acquired IP packet in the hard disk. 
[0096] The sensor 5 is software-implemented not to respond to transmitted packets which demand a response, such as packets of ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) which have no IP addresses. Therefore, the sensor 5 is capable of receiving (reading) only IP packets. 
[0097] The sensor 5 also runs installed software (hereinafter referred to as an attack detecting algorithm) for detecting attacks of the first through sixth types. The attack detecting algorithm may instead be installed in the director 6, and the sensor 5 may then process the attack detecting algorithm while sending data to and receiving data from the director 6. 

[0098] The director 6 runs installed software for controlling the firewall 2 (hereinafter referred to as a filter control algorithm). The filter control algorithm controls the firewall 2 by appropriately rewriting data in the filter setting file depending on an attack detected by the sensor 5. 

[0099] Operation of the system for monitoring the LAN 1 for a cracker attack will be described below. 

[0100] While storing acquired IP packets in the hard disk, the sensor 5 performs the following processing in each cycle time: The sensor 5 classifies a plurality of IP packets at predetermined time intervals from the hard disk according to the values of source IP addresses and destination IP addresses, and stores the classified IP packets in a memory (not shown). Specifically, of the plurality of IP packets at predetermined time intervals, the sensor 5 puts together those IP packets which have the same source IP address and those IP packets which have the same destination address, and stores those IP packets in the memory (the set of IP packets that are thus put together will hereinafter be referred to as an IP packet group). The sensor 5 then effects an attack detecting process on the stored IP packets, and deletes the IP packets from the memory. 

[0101] In each cycle time, the IP packets stored in the memory are those acquired after a predetermined time has elapsed from the acquisition time of the oldest of the IP packets stored in the memory in the preceding cycle time. 

[0102] The attack detecting process is effected by the sensor 5 in each cycle time according to the attack detecting algorithm, as follows: 

[0103] The sensor 5 detects an attack of the first type, i.e., a port scan, of attacks of the first through sixth types. Specifically, the sensor 5 extracts the values of all destination IP addresses (which are the values of IP addresses belonging to the LAN 1) of IP packets contained in each IP packet group whose source IP addresses are the same as each other and are external to the LAN 1, among the IP packets stored in the memory. The sensor 5 then counts, from the IP packet group (the IP packet group having the same source IP address), the number of IP packets which have the same destination IP address as the value of each destination IP address extracted in each IP packet group, whose destination port numbers in a TCP header or a UDP header are different from each other, and which have been acquired in a continuous time, e.g., of 30 seconds. 

[0104] If the counted number reaches a predetermined number, e.g., 20, then the sensor 5 detects a port scan attack. The sensor 5 gives data indicative of the port scan attack and the data of the values of the source IP addresses of the IP packet group whose attack has been detected (the data will hereinafter be referred to as detected first-type attack data) to the director 6. 

[0105] The above process is effected successively on all the IP packet groups whose source IP addresses are the same as each other and do not belong to the LAN 1. 

[0106] In the detection of a port scan according to the illustrated embodiment, the number of IP packets whose destination port numbers are different from each other is counted. However, a port scan may also be detected as follows: The values of all destination port numbers of IP packets contained in each IP packet group whose source IP addresses are the same as each other and are external to the LAN 1 are extracted. Then, the number of IP packets which have the same destination port number as the value of each extracted destination port number, whose destination IP addresses are different from each other, and which have been acquired in a continuous time is counted from the IP packet group from which the destination port numbers have been extracted. If the counted number reaches a predetermined number, then a port scan is detected. 
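The two port scan criteria of [0103] to [0106] (many distinct ports on one LAN host, or one port on many distinct LAN hosts, from the same external source within a continuous time), as an added worked example in Python that is not part of the patent's disclosure. The packet record layout, the LAN address range 10.0.0.0/24 and the constructed sample traffic are assumptions made here; the 30-second window and the threshold of 20 are the example values the description gives.

```python
from collections import defaultdict, namedtuple

# Constructed record of the fields the sensor keeps for each acquired IP packet:
# acquisition time (seconds), source/destination IP, destination port (TCP or UDP).
Packet = namedtuple("Packet", "t src dst dport")

LAN_PREFIX = "10.0.0."   # assumed address range of LAN 1 (placeholder, not from the patent)
WINDOW_SECONDS = 30.0    # "continuous time, e.g., of 30 seconds" ([0103])
THRESHOLD = 20           # "predetermined number, e.g., 20" ([0104])


def in_lan(ip):
    return ip.startswith(LAN_PREFIX)


def max_distinct_in_window(events, window):
    """events: list of (time, key). Largest number of distinct keys whose events
    all fall inside some span of `window` seconds (sliding window over time)."""
    events = sorted(events)
    counts = defaultdict(int)
    best = lo = 0
    for t, key in events:
        counts[key] += 1
        while events[lo][0] < t - window:          # drop events older than the window
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect_port_scans(packets, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return the set of external source IPs whose packets satisfy either criterion:
    (a) one LAN host probed on >= threshold distinct ports within the window ([0103]-[0104]);
    (b) one port probed on >= threshold distinct LAN hosts within the window ([0106])."""
    by_src = defaultdict(list)                     # the "IP packet group" per external source
    for p in packets:
        if not in_lan(p.src) and in_lan(p.dst):
            by_src[p.src].append(p)

    scanners = set()
    for src, group in by_src.items():
        per_host = defaultdict(list)               # dst host -> [(t, dport)]
        per_port = defaultdict(list)               # dport    -> [(t, dst host)]
        for p in group:
            per_host[p.dst].append((p.t, p.dport))
            per_port[p.dport].append((p.t, p.dst))
        vertical = any(max_distinct_in_window(ev, window) >= threshold for ev in per_host.values())
        horizontal = any(max_distinct_in_window(ev, window) >= threshold for ev in per_port.values())
        if vertical or horizontal:
            scanners.add(src)
    return scanners


def sample_packets():
    """Constructed traffic: two scanners, one slow prober, one ordinary client."""
    pk = []
    for i in range(25):                            # 25 ports on one host within 10 s
        pk.append(Packet(100.0 + i * 0.4, "203.0.113.7", "10.0.0.5", 1 + i))
    for i in range(22):                            # port 22 on 22 hosts within 5 s
        pk.append(Packet(200.0 + i * 0.2, "198.51.100.9", "10.0.0.%d" % (10 + i), 22))
    for i in range(25):                            # one port every 12 s: never 20 in any 30 s
        pk.append(Packet(300.0 + i * 12.0, "192.0.2.44", "10.0.0.5", 1 + i))
    for i, port in enumerate((80, 443, 25)):       # a client using three services
        pk.append(Packet(400.0 + i, "192.0.2.1", "10.0.0.5", port))
    return pk


if __name__ == "__main__":
    print(sorted(detect_port_scans(sample_packets())))   # ['198.51.100.9', '203.0.113.7']
```

The slow prober shows why the "continuous time" qualifier matters: it touches as many ports as the fast scanner, but never 20 of them inside one 30-second span, so the count in the description's sense never reaches the threshold.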
[0107] The director 6, which has been supplied with the detected first-type attack data from the sensor 5, rewrites the filter setting file of the firewall 2 in order to prevent IP packets having the same source IP addresses as the source IP addresses contained in the detected first-type attack data from entering the LAN 1 for a predetermined time, e.g., of 5 minutes, from the present time. At this time, when the IP packets having the above source IP addresses are transmitted, the firewall 2 discards those IP packets to prevent them from entering the LAN 1. Accordingly, the LAN 1 is protected against a port scan attack. 

[0108] If the director 6 is supplied again with the same detected first-type attack data as the previously given detected first-type attack data from the sensor 5 before the above predetermined time of 5 minutes elapses, then the director 6 controls the firewall 2 in order to prevent IP packets from the source IP addresses of the detected first-type attack data from entering the LAN 1 for the predetermined time of 5 minutes from the time at which the director 6 is supplied again with the detected first-type attack data. If the director 6 is not supplied with detected first-type attack data before the above predetermined time of 5 minutes elapses, then the director 6 cancels the blocking of IP packets from the source IP addresses of the detected first-type attack data against entry into the LAN 1. 
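The director's timer handling of [0107] and [0108] (install a block for a fixed time, restart the timer on a repeat report, cancel it when the time elapses without one), as an added worked example in Python that is not part of the patent's disclosure. It also carries the per-type durations the description gives later (2 minutes and 2 seconds for Syn-flood and Teardrop in [0114] and [0119], 3 minutes for Land in [0124]); the rule representation, the textual form of the filter setting file and the sample timeline are assumptions made here.

```python
# Block durations, in seconds, as the description gives them for each attack type:
# port scan source 5 min ([0107]); Syn-flood and Teardrop source 2 min, destination
# 2 s ([0114], [0119]); Land source/destination pair 3 min ([0124]).
BLOCK_SECONDS = {
    ("port_scan", "src"): 300,
    ("syn_flood", "src"): 120,
    ("syn_flood", "dst"): 2,
    ("teardrop", "src"): 120,
    ("teardrop", "dst"): 2,
    ("land", "pair"): 180,
}


class FilterController:
    """Director-side model of the firewall's filter setting file (constructed)."""

    def __init__(self):
        # ("src", ip) / ("dst", ip) / ("pair", (ip, ip)) -> time at which the rule expires
        self.rules = {}

    def on_detection(self, attack_type, now, src=None, dst=None):
        """Install, or refresh, the block rules for one attack report from the sensor."""
        if attack_type == "land":
            self._block(("pair", (src, dst)), BLOCK_SECONDS[("land", "pair")], now)
            return
        if src is not None and (attack_type, "src") in BLOCK_SECONDS:
            self._block(("src", src), BLOCK_SECONDS[(attack_type, "src")], now)
        if dst is not None and (attack_type, "dst") in BLOCK_SECONDS:
            self._block(("dst", dst), BLOCK_SECONDS[(attack_type, "dst")], now)

    def _block(self, rule, seconds, now):
        # A repeat report before expiry restarts the timer from the new report ([0108]).
        self.rules[rule] = now + seconds

    def expire(self, now):
        """Cancel every rule whose time has elapsed without a fresh report; return them."""
        expired = [r for r, exp in self.rules.items() if exp <= now]
        for r in expired:
            del self.rules[r]
        return expired

    def allows(self, src, dst, now):
        """Would the firewall forward a packet src -> dst into the LAN at time `now`?"""
        self.expire(now)
        return not (("src", src) in self.rules
                    or ("dst", dst) in self.rules
                    or ("pair", (src, dst)) in self.rules)

    def render(self):
        """Text the director would write into the filter setting file (constructed syntax)."""
        lines = []
        for (kind, value), _exp in sorted(self.rules.items(), key=lambda kv: str(kv[0])):
            if kind == "pair":
                lines.append("deny src %s dst %s" % value)
            else:
                lines.append("deny %s %s" % (kind, value))
        return "\n".join(lines)


if __name__ == "__main__":
    fc = FilterController()
    fc.on_detection("port_scan", now=0, src="203.0.113.7")
    fc.on_detection("syn_flood", now=10, src="198.51.100.9", dst="10.0.0.5")
    print(fc.render())
    print(fc.allows("203.0.113.7", "10.0.0.5", now=250))   # False: still within 5 min
    print(fc.allows("192.0.2.1", "10.0.0.5", now=13))      # True: 2 s destination block has lapsed
```

Keeping the expiry per rule rather than per attack type is what lets the short destination-side block (which only needs to outlast the attacked host's recovery) lapse while the longer source-side block stays in force, as [0069] and [0076] require.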
[0109] Having carried out the process of detecting a port scan attack as described above, the sensor 5 effects a process of detecting an attack of the second type (Syn-flood). 

[0110] In this detecting process, the sensor 5 successively extracts Syn IP packets, in the order of their acquisition times, contained in each IP packet group of destination IP addresses belonging to the LAN 1, of IP packet groups whose destination IP addresses are the same as each other. The sensor 5 then checks whether Syn IP packets acquired within a predetermined time, e.g., of 2 seconds, from the acquisition time of each extracted Syn IP packet are present or not in the IP packet group whose destination IP addresses are the same as each other. If such Syn IP packets are present, then the sensor 5 counts the number of those Syn IP packets including previously extracted Syn IP packets. The sensor 5 then checks whether an Ack IP packet corresponding to each of the counted Syn IP packets (specifically, an Ack IP packet having the same source IP address as the Syn IP packet and having a sequence number next to the sequence number in the TCP header of the Syn IP packet) and acquired within the predetermined time of 2 seconds from the acquisition time of the Syn IP packet is present or not in the IP packet group whose destination IP addresses are the same as each other. If such an Ack IP packet is present, then the sensor 5 decrements the above counted number by "1". When the presence of corresponding Ack IP packets has finally been checked, if the counted number is equal to or greater than a predetermined number, i.e., 16, then the sensor 5 detects a Syn-flood attack. The sensor 5 gives data indicative of the Syn-flood attack and the data of the values of the source IP addresses and the data of the values of the destination IP addresses of the Syn IP packet group whose attack has been detected (the data will hereinafter be referred to as detected second-type attack data) to the director 6. 

[0111] The above process is effected successively on all the IP packet groups whose destination IP addresses are the same as each other and belong to the LAN 1. 

[0112] In the illustrated embodiment, a Syn-flood attack is detected on the basis of the number of Syn IP packets. However, a Syn-flood attack may also be detected as follows: Syn/Ack IP packets contained in each IP packet group whose source IP addresses are the same as each other and belong to the LAN 1 are successively extracted in the order of their acquisition times. Then, it is checked whether Syn/Ack IP packets acquired within a predetermined time, e.g., of 2 seconds, from the acquisition time of each extracted Syn/Ack IP packet are present or not in the IP packet group whose source IP addresses are the same as each other. If such Syn/Ack IP packets are present, then the number of those Syn/Ack IP packets including previously extracted Syn/Ack IP packets is counted. Then, an IP packet group having the same destination IP addresses as the source IP address of each of the counted Syn/Ack IP packets is checked. It is checked whether an Ack IP packet corresponding to each of the Syn/Ack IP packets (specifically, a Syn/Ack IP packet having the same destination IP address as the source IP address of the Syn/Ack IP packet and having an Ack number next to the sequence number in the TCP header of the Syn/Ack IP packet) and acquired within the predetermined time of 2 seconds from the acquisition time of the Syn/Ack IP packet is present or not in the IP packet group. If such an Ack IP packet is present, then the above counted number is decremented by "1". When the presence of corresponding Ack IP packets has finally been checked, if the counted number is equal to or greater than a predetermined number, i.e., 16, then a Syn-flood attack is detected. 

[0113] In the above case, the data given from the sensor 5 to the director 6 include data indicative of the detected Syn-flood attack and the data of the values of the source IP addresses and the data of the values of the destination IP addresses of the Syn/Ack IP packet group. The data of the values of the source IP addresses and destination IP addresses of the Syn/Ack IP packet group correspond respectively to the data of the values of the source IP addresses and the data of the values of the destination IP addresses of the Syn IP packets in the detected second-type attack data described above. 

[0114] The director 6, which has been supplied with the detected second-type attack data from the sensor 5, rewrites the filter setting file of the firewall 2 in order to prevent IP packets having the same source IP addresses as the source IP addresses contained in the detected second-type attack data from entering the LAN 1 for a predetermined time, e.g., of 2 minutes, from the present time. At the same time, the director 6 rewrites the filter setting file of the firewall 2 in order to prevent IP packets having the same destination IP addresses as the destination IP addresses contained in the detected second-type attack data from entering the LAN 1 for a predetermined time, e.g., of 2 seconds, from the present time. At this time, when the IP packets having the above source IP addresses or the IP packets having the above destination IP addresses are transmitted from the Internet 3, the firewall 2 discards those IP packets to prevent them from entering the LAN 1. Accordingly, the LAN 1 is protected against a Syn-flood attack, and hosts having the IP addresses which are under attack do not go down, but return to their normal state. 

[0115] As in the process of detecting a port scan attack, if the director 6 is supplied again with the same detected second-type attack data as the previously given detected second-type attack data from the sensor 5 before the above predetermined time of 2 minutes, required to preclude IP packets having the source IP addresses of the detected second-type attack data, elapses, then the director 6 controls the firewall 2 in order to prevent IP packets from the source IP addresses of the detected second-type attack data from entering the LAN 1 for the predetermined time of 2 minutes from the time at which the director 6 is supplied again with the detected second-type attack data. This holds true for the exclusion of IP packets having the destination IP addresses of the detected second-type attack data. Therefore, insofar as a Syn-flood attack continues, IP packets from the source IP addresses of the Syn-flood attack or IP packets to the destination IP addresses of the Syn-flood attack cannot enter the LAN 1. With respect to the exclusion of IP packets having the source IP addresses of the detected second-type attack data and the exclusion of IP packets having the destination IP addresses of the detected second-type attack data, if the director 6 is not supplied with detected second-type attack data before the above predetermined times of 2 minutes and 2 seconds elapse, then the director 6 cancels the blocking of IP packets having the source IP addresses of the detected second-type attack data against entry into the LAN 1, and also cancels the blocking of IP packets having the destination IP addresses of the detected second-type attack data against entry into the LAN 1. 

[0116] Having carried out the process of detecting a Syn-flood attack as described above, the sensor 5 effects a process of detecting an attack of the third type (Teardrop). 

[0117] In this detecting process, the sensor 5 successively extracts divided IP packets contained in each IP packet group of destination addresses belonging to the LAN 1, of IP packet groups whose destination IP addresses are the same as each other. According to IP, in the IP header of each divided packet, either a certain flag is "1" or the data referred to as the fragment offset has a value greater than "0". A divided packet can be located based on this principle. The sensor 5 checks whether divided packets (which are the same as the extracted divided packets) acquired within a predetermined time, e.g., of 5 minutes, from the acquisition time of each extracted divided packet and having the same IP identification number in the IP header and the same fragment offset as the divided packet are present or not in the same IP packet group as the divided packet. If such divided packets are present, then the number of those divided packets including previously extracted divided packets is counted. If the counted number is equal to or greater than a predetermined number, e.g., 80, then the sensor 5 detects a Teardrop attack, and gives data indicative of the Teardrop attack and the data of the values of the source IP addresses and the data of the values of the destination IP addresses of the divided packets whose attack has been detected (the data will hereinafter be referred to as detected third-type attack data) to the director 6. 

[0118] The above process is effected successively on all the IP packet groups whose destination IP addresses are the same as each other and belong to the LAN 1. 

[0119] The director 6, which has been supplied with the detected third-type attack data from the sensor 5, controls the firewall 2 in exactly the same manner as when a Syn-flood attack is detected. Specifically, the director 6 rewrites the filter setting file of the firewall 2 in order to prevent IP packets having the same source IP addresses as the source IP addresses contained in the detected third-type attack data from entering the LAN 1 for a predetermined time of 2 minutes, from the present time. At the same time, the director 6 rewrites the filter setting file of the firewall 2 in order to prevent IP packets having the same destination IP addresses as the destination IP addresses contained in the detected third-type attack data from entering the LAN 1 for a predetermined time of 2 seconds, from the present time. 

[0120] Accordingly, the LAN 1 is protected against a Teardrop attack, and hosts having the IP addresses which are under attack do not go down, but return to their normal state. 

[0121] Having carried out the process of detecting a Teardrop attack as described above, the sensor 5 effects a process of detecting an attack of the fourth type (Land). 

[0122] In this detecting process, the sensor 5 extracts IP packets whose source IP addresses have the same values as the destination IP addresses of each IP packet group of destination IP addresses belonging to the LAN 1, of IP packet groups whose destination IP addresses are the same as each other. The sensor 5 then checks whether IP packets having the same source IP addresses as the extracted IP packets and acquired within a predetermined time, e.g., of 2 minutes, from the acquisition time of the IP packets are present or not in IP packet groups having the same destination IP addresses as the extracted IP packets. If such IP packets are present, then the sensor 5 counts the number of those IP packets including previously extracted IP packets. If the counted number is equal to or greater than a predetermined number, e.g., 6, then the sensor 5 detects a Land attack, and gives data indicative of the Land attack and the data of the values of the source IP addresses of the IP packet group whose attack has been detected (the data will hereinafter be referred to as detected fourth-type attack data) to the director 6. 

[0123] The above process is effected successively on all the IP packet groups whose destination IP addresses are the same as each other and belong to the LAN 1. 

[0124] The director 6, which has been supplied with 
the detected fourth-type attack data from the sensor 5, 
rewrites the filter setting file of the firewall 2 in order to 
prevent IP packets having the same source IP 
addresses as the source IP addresses contained in the 
detected fourth-type attack data and having the same 
destination IP addresses as those source IP addresses 
from entering the LAN 1 for a predetermined time, e.g., 
3 minutes, from the present time. When IP packets hav- 
ing the above source IP addresses and destination IP 
addresses are transmitted from the Internet 3, the fire- 
wall 2 discards the IP packets and hence prevents them 
from entering the LAN 1. In this fashion, the LAN 1 is 
protected against a Land attack. 

[0125] As in the process of detecting a port scan 
attack, if the director 6 is supplied again with the same 
detected fourth-type attack data as the previously given 
detected fourth-type attack data from the sensor 5 
before the above predetermined time of 6 minutes, 
required to preclude IP packets having the same source 
IP addresses and destination IP addresses as the 
source IP addresses of the detected fourth-type attack 
data, elapses, then the director 6 controls the firewall 2 
in order to prevent IP packets having the source IP 
addresses and destination IP addresses of the detected 
fourth-type attack data from entering the LAN 1 for the 
predetermined time of 6 minutes from the time at which 
the director 6 is supplied again with the detected 
fourth-type attack data. Therefore, insofar as a Land 
attack continues, IP packets from the source IP 
addresses and destination IP addresses of the Land 
attack cannot enter the LAN 1. If the director 6 is not 
supplied with detected fourth-type attack data before 
the above predetermined time of 6 minutes elapses, 
then the director 6 cancels the blocking of IP packets 
having the same source IP addresses and destination 
IP addresses as the source IP addresses of the 
detected fourth-type attack data against entry into the 
LAN 1. 
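The director's timed blocking, renewal on a repeated report and cancellation on expiry, as described in [0124] and [0125] (and, with other times, for the fifth and sixth types below), written out as an added example that is not the patent's own code; the filter setting file is modelled as a set of (source, destination) rules, times are in seconds, and the fourth type uses the 3-minute figure of [0124].

```python
"""Director-side control of the firewall 2: block the addresses of a reported
attack for the predetermined time of that attack type, restart the timer if
the same attack data is reported again before it elapses, and cancel the
block when it elapses without a repeat. Added example; the filter setting
file is an in-memory set of (src, dst) rules (an assumption)."""

# Predetermined blocking times per attack type, in seconds, as given in the
# description: fourth type 3 minutes ([0124]), fifth 1 hour, sixth 4 hours.
BLOCK_SECONDS = {4: 3 * 60, 5: 60 * 60, 6: 4 * 60 * 60}


class Director:
    def __init__(self):
        # (attack type, (src, dst) rule) -> time at which the block expires
        self.blocks = {}

    def report(self, attack_type, attack_data, now):
        """Detected attack data arrives from the sensor 5. Fourth-type data is
        the single Land address, blocked as both source and destination
        ([0124]); fifth- and sixth-type data is a (src, dst) pair. Reporting
        the same data again before expiry restarts the timer from `now`."""
        if attack_type == 4:
            rule = (attack_data, attack_data)
        else:
            rule = tuple(attack_data)
        self.blocks[(attack_type, rule)] = now + BLOCK_SECONDS[attack_type]

    def cancel_expired(self, now):
        """Cancel blocks whose predetermined time elapsed without a repeat."""
        self.blocks = {k: t for k, t in self.blocks.items() if t > now}

    def filter_rules(self, now):
        """Rules the rewritten filter setting file holds at time `now`."""
        self.cancel_expired(now)
        return {rule for (_, rule) in self.blocks}

    def is_blocked(self, src, dst, now):
        """Would the firewall 2 discard a packet src -> dst at time `now`?"""
        return (src, dst) in self.filter_rules(now)


def scenario():
    """Constructed scenario: Land attack data for one host is reported at
    t=0 and again at t=100, so the block runs to 100 + 180 = 280 s rather
    than 180 s; fifth-type data reported once at t=0 is blocked for 1 hour.
    Checks are made in time order, as the firewall would see packets."""
    d = Director()
    d.report(4, "192.0.2.10", now=0)
    d.report(4, "192.0.2.10", now=100)                 # repeat: timer restarts
    d.report(5, ("198.51.100.7", "192.0.2.20"), now=0)
    land = ("192.0.2.10", "192.0.2.10")
    guess = ("198.51.100.7", "192.0.2.20")
    return {
        "other_src@10": d.is_blocked("198.51.100.9", "192.0.2.20", 10),
        "land@179": d.is_blocked(*land, 179),
        "land@279": d.is_blocked(*land, 279),
        "land@280": d.is_blocked(*land, 280),
        "guess@3599": d.is_blocked(*guess, 3599),
        "guess@3600": d.is_blocked(*guess, 3600),
    }


if __name__ == "__main__":
    for check, blocked in scenario().items():
        print(f"{check}: {'discarded' if blocked else 'passed'}")
```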
[0126] In the illustrated embodiment, the data of the 
values of the source IP addresses of IP packets under a 
Land attack are given as detected fourth-type attack 
data to the director 6. However, because source IP 
addresses and destination IP addresses of IP packets 
under a Land attack are of the same value, the data of 
the values of the destination IP addresses of IP packets 
under a Land attack, rather than the data of the values 
of the source IP addresses thereof, may be given to the 
director 6. 

[0127] Having carried out the process of detecting a 
Land attack as described above, the sensor 5 effects a 
process of detecting an attack of the fifth type 
(password acquisition). 

[0128] In this detecting process, the sensor 5 
extracts IP packets including user name data and 
password data of hosts of the LAN 1 from each IP 
packet group of destination IP addresses belonging to 
the LAN 1, of IP packet groups whose destination IP 
addresses are the same as each other. The sensor 5 
then counts the number of IP packets whose user name 
data are the same as each other, whose password data 
are different from each other, and which have been 
acquired within a continuous time, e.g., 2 minutes, 
among the extracted IP packets. If the counted number 
is equal to or greater than a predetermined number, 
e.g., 20, then the sensor 5 detects an attack of the fifth 
type, in which a cracker attempts to acquire a password. 
The sensor 5 gives data indicative of the attack of the 
fifth type and the data of the values of the source IP 
addresses and the data of the values of the destination 
IP addresses of the IP packets whose attack has been 
detected (the data will hereinafter be referred to as 
detected fifth-type attack data) to the director 6. 

[0129] The above process is effected successively 
on all the IP packet groups whose destination IP 
addresses are the same as each other and belong to 
the LAN 1. 
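The sensor-side checks of [0122] (fourth type, Land) and [0128] (fifth type, password acquisition) over constructed packet records, as an added example that is not the patent's own code; the packet field names, the LAN address range and the sample traffic are assumptions, while the 2-minute windows and the counts of 6 and 20 are those stated in the description.

```python
"""Sensor-side detection of the fourth (Land) and fifth (password acquisition)
attack types. Added example; packets are constructed dicts with assumed
field names (t = acquisition time in seconds, src, dst, user, password)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.0.2.0/24")      # assumed address range of the LAN 1

# Predetermined windows and counts given in the description.
LAND_WINDOW, LAND_COUNT = 120, 6      # 2 minutes, 6 packets ([0122])
PASS_WINDOW, PASS_COUNT = 120, 20     # 2 minutes, 20 packets ([0128])


def group_by_destination(packets):
    """Form the IP packet groups whose destination IP addresses are the same
    as each other, keeping only the groups addressed to hosts of the LAN 1."""
    groups = defaultdict(list)
    for p in packets:
        if ip_address(p["dst"]) in LAN:
            groups[p["dst"]].append(p)
    return groups


def within_window(times, window, count):
    """True if at least `count` of the time stamps fall in some span of
    `window` seconds (the 'acquired within a predetermined time' test)."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= count:
            return True
    return False


def detect_land(packets):
    """Fourth type: IP packets whose source IP address equals their
    destination IP address, LAND_COUNT or more to one host within
    LAND_WINDOW. Returns the addresses (detected fourth-type attack data)."""
    hits = []
    for dst, group in group_by_destination(packets).items():
        land_times = [p["t"] for p in group if p["src"] == dst]
        if within_window(land_times, LAND_WINDOW, LAND_COUNT):
            hits.append(dst)
    return sorted(hits)


def detect_password_acquisition(packets):
    """Fifth type: to one host, packets carrying the same user name but
    different passwords, PASS_COUNT or more within PASS_WINDOW. Returns the
    (source, destination) pairs (detected fifth-type attack data)."""
    hits = set()
    for dst, group in group_by_destination(packets).items():
        by_user = defaultdict(list)
        for p in group:
            if "user" in p and "password" in p:
                by_user[p["user"]].append(p)
        for tries in by_user.values():
            # Repeats of one password are not different passwords: keep the
            # first time stamp seen for each distinct password.
            first_seen = {}
            for p in tries:
                first_seen.setdefault(p["password"], p["t"])
            if within_window(first_seen.values(), PASS_WINDOW, PASS_COUNT):
                hits.update((p["src"], dst) for p in tries)
    return sorted(hits)


# Constructed sample traffic: six Land packets to one LAN host within 6 s,
# twenty guesses for user "admin" against another host from one outside
# address, and one unrelated benign packet.
SAMPLE = (
    [{"t": 1000 + i, "src": "192.0.2.10", "dst": "192.0.2.10"} for i in range(6)]
    + [{"t": 2000 + i, "src": "198.51.100.7", "dst": "192.0.2.20",
        "user": "admin", "password": f"guess{i}"} for i in range(20)]
    + [{"t": 3000, "src": "198.51.100.9", "dst": "192.0.2.30"}]
)

if __name__ == "__main__":
    print(detect_land(SAMPLE))                  # ['192.0.2.10']
    print(detect_password_acquisition(SAMPLE))  # [('198.51.100.7', '192.0.2.20')]
```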

[0130] The director 6, which has been supplied with 
the detected fifth-type attack data from the sensor 5, 
rewrites the filter setting file of the firewall 2 in order to 
prevent IP packets having the same source IP 
addresses and destination IP addresses as the source 
IP addresses and destination IP addresses of the 
detected fifth-type attack data from entering the LAN 1 
for a predetermined time, e.g., 1 hour, from the present 
time. When IP packets having the above source IP 
addresses and destination IP addresses are transmitted 
from the Internet 3, the firewall 2 discards the IP packets 
and hence prevents them from entering the LAN 1. In 
this fashion, the LAN 1 is protected against an attack of 
the fifth type trying to acquire a password. 
[0131] As in the process of detecting a port scan 
attack, if the director 6 is supplied again with the same 
detected fifth-type attack data as the previously given 
detected fifth-type attack data from the sensor 5 before 
the above predetermined time of 1 hour, required to pre- 
clude IP packets having the source IP addresses and 
destination IP addresses of the detected fifth-type 
attack data, elapses, then the director 6 controls the 
firewall 2 in order to prevent IP packets from the source 
IP addresses and destination IP addresses of the 
detected fifth-type attack data from entering the LAN 1 
for the predetermined time of 1 hour from the time at 
which the director 6 is supplied again with the detected 
fifth-type attack data. Therefore, insofar as an attack of 
the fifth type continues, IP packets having the source IP 
addresses and destination IP addresses of the attack of 
the fifth type cannot enter the LAN 1. If the director 6 is 
not supplied with detected fifth-type attack data before 
the above predetermined time of 1 hour elapses, then 
the director 6 cancels the blocking of IP packets having 
the source IP addresses and destination IP addresses 
of the detected fifth-type attack data against entry into 
the LAN 1. 

[0132] Having carried out the process of detecting 
an attack of the fifth type as described above, the sen- 
sor 5 effects a process of detecting an attack of the sixth 
type (security hole attack). 

[0133] In this detecting process, the sensor 5 
searches for an IP packet having a printer logical name 
"lpr" and a data size of 128 characters or more from 
each IP packet group of destination IP addresses 
belonging to the LAN 1, of IP packet groups whose 
destination IP addresses are the same as each other. If 
such an IP packet is found, then the sensor 5 detects an 
attack of the sixth type on a security hole in a host in the 
LAN 1. The sensor 5 gives data indicative of the attack 
of the sixth type and the data of the value of the source 
IP address and the data of the value of the destination 
IP address of the IP packet whose attack has been 
detected (the data will hereinafter be referred to as 
detected sixth-type attack data) to the director 6. 
[0134] The director 6, which has been supplied with 
the detected sixth-type attack data from the sensor 5, 
rewrites the filter setting file of the firewall 2 in order to 
prevent IP packets having the same source IP 
addresses and destination IP addresses as the source 
IP address and destination IP address of the detected 
sixth-type attack data from entering the LAN 1 for a 
predetermined time, e.g., 4 hours, from the present time. 
When IP packets having the above source IP addresses 
and destination IP addresses are transmitted from the 
Internet 3, the firewall 2 discards the IP packets and 
hence prevents them from entering the LAN 1. In this 
fashion, the LAN 1 is protected against an attack of the 
sixth type on a security hole in a host in the LAN 1. 
[0135] As in the process of detecting a port scan 
attack, if the director 6 is supplied again with the same 
detected sixth-type attack data as the previously given 
detected sixth-type attack data from the sensor 5 before 
the above predetermined time of 4 hours, required to 
preclude IP packets having the source IP addresses 
and destination IP addresses of the detected sixth-type 
attack data, elapses, then the director 6 controls the 
firewall 2 in order to prevent IP packets from the source 
IP addresses and destination IP addresses of the 
detected sixth-type attack data from entering the LAN 1 
for the predetermined time of 4 hours from the time at 
which the director 6 is supplied again with the detected 
sixth-type attack data. Therefore, insofar as an attack of 
the sixth type continues, IP packets having the source 
IP addresses and destination IP addresses of the attack 
of the sixth type cannot enter the LAN 1. If the director 6 
is not supplied with detected sixth-type attack data 
before the above predetermined time of 4 hours 
elapses, then the director 6 cancels the blocking of IP 
packets having the source IP addresses and destination 
IP addresses of the detected sixth-type attack data 
against entry into the LAN 1. 

[0136] As described above, the system for monitoring 
the LAN 1 for a cracker attack according to the above 
embodiment incorporates only the sensor 5 and the 
director 6 for detecting various attacks made by 
crackers against the LAN 1 on a real-time basis and 
automatically and quickly taking appropriate measures 
to protect the LAN 1 against the detected attacks. 
Therefore, the network administrator or the like of the 
LAN 1 is allowed to greatly reduce the expenditure of 
labor that is required to construct the LAN 1 in view of 
cracker attacks and the need to frequently refer to a log 
file, and hence is allowed to lower the cost of 
maintaining and managing the LAN 1. Since various 
attacks made by crackers against the LAN 1 can be 
detected on a real-time basis, it is not necessary to limit 
communications between the LAN 1 and external 
networks when no attacks are detected. Usually, 
therefore, the freedom of communications of the LAN 1 
can be increased, and information resources on the 
Internet can effectively be utilized. 

[0137] In the illustrated embodiment, the firewall 3 
is connected to the gateway of the LAN 1, and when a 
cracker attack on the LAN 1 is detected, the firewall 3 is 
controlled to automatically preclude the detected attack. 
However, when a cracker attack on the LAN 1 is 
detected, the detected attack may only be reported to 
the network administrator of the LAN 1 or a security 
manager assigned to the LAN 1. 
[0138] According to such a modification, the director 
6 or the sensor 5 is connected via a public or dedicated 
circuit to the host of the network administrator or the 
security manager. When a cracker attack on the LAN 1 
is detected, information such as the detected first 
through sixth-type attack data is transmitted from the 
director 6 or the sensor 5 to the host of the network 
administrator or the security manager. In this case, a 
specific measure required to protect the LAN 1 against 
the detected attack is taken directly by the network 
administrator or the security manager. Because the 
network administrator or the security manager is 
required to take a necessary preventive action only 
when a detected attack is reported, and also because 
the type of the attack is detected, the network 
administrator or the security manager can take such an 
action against the attack relatively easily. 

[0139] In the illustrated embodiment, the processes 
of detecting attacks of the first through sixth types have 
been described as being successively carried out. 
However, the processes of detecting attacks of the first 
through sixth types may be performed parallel to each 
other. 

[0140] In the above embodiment, the system moni- 
tors the network for DoS (Denial of Service) cracker 
attacks such as Syn-flood, Teardrop, and Land attacks. 
However, the principles of the present invention are also 
applicable to the detection of cracker attacks known as 
Smurf and Floodie attacks. 

[0141] Although a certain preferred embodiment of 
the present invention has been shown and described in 
detail, it should be understood that various changes and 
modifications may be made therein without departing 
from the scope of the appended claims. 

Claims 

1. A system for monitoring a network which performs 
communications based on IP (Internet Protocol), for 
a cracker attack, comprising: 

attack detecting means disposed at a gateway 
of the network, for successively acquiring IP 
packets passing through the gateway, storing 
the acquired IP packets accumulatively, and 
monitoring the stored IP packets to detect a 
cracker attack against the network; and 
processing means for effecting a predetermined 
process depending on the detected type 
of cracker attack when the attack detecting 
means detects the cracker attack. 

2. A system according to claim 1, wherein said attack 
detecting means comprises means for receiving all 
IP packets passing through the gateway of the 
network. 

3. A system according to claim 2, wherein said attack 
detecting means comprises means for receiving 
only IP packets. 

4. A system according to claim 1, wherein said attack 
detecting means comprises means for holding an 
algorithm for detecting a plurality of different types 
of cracker attacks, and detecting the types of 
cracker attacks from the IP packets acquired and 
stored by the attack detecting means based on said 
algorithm. 

5. A system according to claim 4, wherein said attack 
detecting means comprises means for classifying a 
plurality of the IP packets acquired and stored by 
the attack detecting means according to at least 
source IP addresses and/or destination IP 
addresses, and detecting the types of cracker 
attacks from the classified IP packets. 

6. A system according to claim 1, wherein said attack 
detecting means comprises means for detecting a 
cracker attack of a first type when the IP packets 
acquired and stored by the attack detecting means 
include at least a predetermined number of IP 
packets which are transmitted to the network from an 
external network within a predetermined time, and 
whose at least source IP addresses are the same 
as each other, and whose destination IP addresses 
or destination port numbers are different from each 
other. 

7. A system according to claim 1, wherein said attack 
detecting means comprises means for detecting a 
cracker attack of a second type when the IP packets 
acquired and stored by the attack detecting means 
include at least a predetermined number of Syn IP 
packets based on TCP (Transmission Control 
Protocol), which are transmitted to the network from an 
external network within a predetermined time, and 
whose at least destination IP addresses are the 
same as each other, and when an Ack IP packet 
based on the TCP which has the same source IP 
address and destination IP address as each of the 
Syn IP packets is not acquired within said 
predetermined time. 

8. A system according to claim 1, wherein said attack 
detecting means comprises means for detecting a 
cracker attack of a second type when the IP packets 
acquired and stored by the attack detecting means 
include at least a predetermined number of 
Syn/Ack IP packets based on TCP (Transmission 
Control Protocol), which are transmitted to the 
network from an external network within a 
predetermined time, and whose at least destination IP 
addresses are the same as each other, and when 
an Ack IP packet based on the TCP which has the 
same source IP address and destination IP address 
as the source IP address and destination IP 
address of each of said Syn/Ack IP packets is not 
acquired within the predetermined time. 

9. A system according to claim 1, wherein said attack 
detecting means comprises means for detecting a 
cracker attack of a third type when the IP packets 
acquired and stored by the attack detecting means 
include at least a predetermined number of same 
divisions of an IP packet, which are transmitted to 
the network from an external network. 

10. A system according to claim 1, wherein said attack 
detecting means comprises means for detecting a 
cracker attack of a fourth type when the IP packets 
acquired and stored by the attack detecting means 
include at least a predetermined number of IP 
packets, which are transmitted to the network from an 
external network within a predetermined time, and 
whose source IP addresses are the same as 
destination IP addresses thereof. 

11. A system according to claim 1, wherein said attack 
detecting means comprises means for detecting a 
cracker attack of a fifth type when the IP packets 
acquired and stored by the attack detecting means 
include at least a predetermined number of IP 
packets, which are transmitted to the network from an 
external network within a predetermined time in 
order to operate a host in the network, and whose 
user name data of the host are the same as each 
other and whose passwords of the host are different 
from each other. 

12. A system according to claim 1, wherein said attack 
detecting means comprises means for detecting a 
cracker attack of a sixth type when the IP packets 
acquired and stored by the attack detecting means 
include an IP packet which has a data sequence 
having a predetermined pattern of data for 
attacking a buffer overflow security hole. 

13. A system according to claim 1, wherein said 
processing means comprises means for generating 
a report output representing the detection of the 
cracker attack in the predetermined process. 

14. A system according to claim 1, wherein said 
processing means comprises means for preventing 
an IP packet having a source IP address and/or a 
destination IP address associated with the attack 
detected by the attack detecting means, from 
entering the network in the predetermined process, for a 
predetermined time after the attack detecting 
means detects the attack. 

15. A system according to claim 6, wherein said 
processing means comprises means for preventing 
an IP packet having the same source IP address as 
the source IP addresses associated with the attack 
of the first type detected by the attack detecting 
means, from entering the network for a predeter- 
mined time after the attack detecting means detects 
the attack of the first type, in the predetermined 
process. 

16. A system according to claim 7, wherein said 
processing means comprises means for preventing 
an IP packet having the same destination IP 
address as each said Syn IP packet from entering 
said network for a predetermined time after said 
attack detecting means detects the attack of the 
second type, in said predetermined process. 

17. A system according to claim 16, wherein said 
processing means comprises means for preventing 
an IP packet having the same source IP address as 
each said Syn IP packet from entering said network 
for a predetermined time after said attack detecting 
means detects the attack of the second type, in said 
predetermined process. 

18. A system according to claim 17, wherein said pre- 
determined time for which an IP packet having the 
same source IP address as each said Syn IP 
packet is prevented from entering said network is 
longer than said predetermined time for which an IP 
packet having the same destination IP address as 
each said Syn IP packet is prevented from entering 
said network. 

19. A system according to claim 8, wherein said 
processing means comprises means for preventing 
an IP packet having the same destination IP 
address as the source IP address of each said 
Syn/Ack IP packet from entering said network for a 
predetermined time after said attack detecting 
means detects the attack of the second type, in said 
predetermined process. 

20. A system according to claim 19, wherein said 
processing means comprises means for preventing 
an IP packet having the same source IP address as 
the destination IP address of each said Syn/Ack IP 
packet from entering said network for a predeter- 
mined time after said attack detecting means 
detects the attack of the second type, in said prede- 
termined process. 

21. A system according to claim 20, wherein said pre- 
determined time for which an IP packet having the 
same source IP address as the destination IP 
address of each said Syn/Ack IP packet is pre- 
vented from entering said network is longer than 
said predetermined time for which an IP packet 
having the same destination IP address as the 
source IP address of each said Syn/Ack IP packet 
is prevented from entering said network. 

22. A system according to claim 9, wherein said 
processing means comprises means for preventing 
an IP packet having the same destination IP 
address as the destination IP address of each said 
divided IP packet from entering said network for a 
predetermined time after said attack detecting 
means detects the attack of the third type, in said 
predetermined process. 

23. A system according to claim 22, wherein said 
processing means comprises means for preventing 
an IP packet having the same source IP address as 
the source IP address of each said divided IP 
packet from entering said network for a predeter- 
mined time after said attack detecting means 
detects the attack of the third type, in said predeter- 
mined process. 

24. A system according to claim 23, wherein said 
predetermined time for which an IP packet having the 
same source IP address as the source IP address 
of each said divided IP packet is prevented from 
entering said network is longer than the 
predetermined time for which an IP packet having the same 
destination IP address as the destination IP 
address of each said divided IP packet is prevented 
from entering said network. 

25. A system according to claim 10, wherein said 
processing means comprises means for preventing 
an IP packet having the same source IP address 
and destination IP address as each of the IP pack- 
ets associated with the attack of the fourth type 
from entering the network for a predetermined time 
after the attack detecting means detects the attack 
of the fourth type, in the predetermined process. 

26. A system according to claim 11, wherein said 
processing means comprises means for preventing 
an IP packet having the same source IP address 
and destination IP address as each said IP packet 
associated with the attack of the fifth type from 
entering said network for a predetermined time 
after said attack detecting means detects the attack 
of the fifth type, in the predetermined process. 

27. A system according to claim 12, wherein said 
processing means comprises means for preventing 
an IP packet having the same source IP address 
and destination IP address as the IP packet 
associated with the attack of the sixth type from entering 
the network for a predetermined time after the 
attack detecting means detects the attack of the 
sixth type, in the predetermined process. 

28. A system for monitoring a network which performs 
communications based on IP (Internet Protocol), for 
a cracker attack, comprising: 

attack detecting means disposed at a gateway 
of the network, for successively acquiring IP 
packets passing through the gateway, storing 
the acquired IP packets accumulatively, holding 
an algorithm for detecting a plurality of different 
types of cracker attacks, and monitoring to 
detect the types of cracker attacks from the 
acquired and stored IP packets based on the 
algorithm; and 
processing means for preventing an IP packet 
having a source IP address and/or a destination 
IP address associated with the attack 
detected by the attack detecting means, from 
entering the network according to a predetermined 
process, for a time which is predetermined 
corresponding to the detected type of 
attack, after the attack detecting means detects 
one of the attacks. 

29. A system according to any one of claims 14 through 
28, further comprising a packet filter disposed at 
the gateway of the network, for selectively 
establishing IP packets to be prevented from entering the 
network, the processing means comprising means 
for controlling the packet filter to perform the 
predetermined process. 